authorEric Richter <erichte@linux.ibm.com>2021-11-04 12:03:06 -0500
committerCédric Le Goater <clg@kaod.org>2021-11-04 22:56:56 +0100
commite0f1a585683ada3392c6d9d542523d7f0871d971 (patch)
treeb1bc22a0242ddd579c7bbd76a32eb8455e08a1f5
parentdde7e4fda2459d64512416b57ec9a8e69b0a3084 (diff)
secvar/edk2: store timestamp variable in protected storage
Each signed variable update contains a timestamp -- this timestamp is checked against the previous timestamp seen for that particular variable (if any), and the update is rejected if the timestamp is not a later time than the previous. This timestamp check is intended to prevent re-use of signed update files. Currently, the code stores the timestamps in the TS variable, which is then stored in regular variable storage (typically PNOR). This patch promotes the variable to "protected storage" (typically TPM NV), to avoid this variable being accidentally cleared. This change should only come into effect when either: - initializing secvar for the first time (i.e. first boot, or after a key-clear-request) - processing any variable update Systems that already have a TS variable in PNOR will not be affected until either of the above actions are taken. Signed-off-by: Eric Richter <erichte@linux.ibm.com> Tested-by: Nick Child <nick.child@ibm.com> Reviewed-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Cédric Le Goater <clg@kaod.org> (cherry picked from commit 59a247e7f4e9df2521ebb53cdc47aaa34c225fea) Signed-off-by: Cédric Le Goater <clg@kaod.org>
-rw-r--r--libstb/secvar/backend/edk2-compat-process.c4
-rw-r--r--libstb/secvar/backend/edk2-compat.c1
2 files changed, 4 insertions, 1 deletions
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c
index 3361eb5..e430c71 100644
--- a/libstb/secvar/backend/edk2-compat-process.c
+++ b/libstb/secvar/backend/edk2-compat-process.c
@@ -44,7 +44,9 @@ int update_variable_in_bank(struct secvar *update_var, const char *data,
else
var->flags |= SECVAR_FLAG_VOLATILE;
- if (key_equals(update_var->key, "PK") || key_equals(update_var->key, "HWKH"))
+ if (key_equals(update_var->key, "PK")
+ || key_equals(update_var->key, "HWKH")
+ || key_equals(update_var->key, "TS"))
var->flags |= SECVAR_FLAG_PROTECTED;
return 0;
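Review bot: The reason TS now joins PK and HWKH in the protected set lives only in the commit message, and the new condition gives a reader no hint that clearing TS would re-open the replay window the timestamp check is meant to close; a one-line comment above the added `if` would carry that, e.g. `/* TS holds the anti-replay timestamps; keep it in protected storage so a PNOR clear cannot roll them back */`. As a point of style, the same three-key test now appears as a chained `key_equals` condition here while edk2_compat_pre_process sets the flag directly; a small `static bool` helper naming the protected keys in one place would keep the two from drifting apart. update_variable_in_bank begins before this hunk.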
diff --git a/libstb/secvar/backend/edk2-compat.c b/libstb/secvar/backend/edk2-compat.c
index 9e61fbc..d7975fa 100644
--- a/libstb/secvar/backend/edk2-compat.c
+++ b/libstb/secvar/backend/edk2-compat.c
@@ -89,6 +89,7 @@ static int edk2_compat_pre_process(struct list_head *variable_bank,
memcpy(tsvar->key, "TS", 3);
tsvar->key_len = 3;
tsvar->data_size = sizeof(struct efi_time) * 4;
+ tsvar->flags = SECVAR_FLAG_PROTECTED;
memset(tsvar->data, 0, tsvar->data_size);
list_add_tail(variable_bank, &tsvar->link);
}
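Review bot: The added `tsvar->flags = SECVAR_FLAG_PROTECTED;` only covers the TS variable this block constructs, so a TS that already exists in regular storage from an earlier firmware stays unprotected until the next variable update, as the commit message acknowledges but the code does not; a comment at the assignment should record that, e.g. `/* freshly created TS is protected; a pre-existing unprotected TS is only promoted by update_variable_in_bank on the next update */`. Note also that this site assigns `flags` while update_variable_in_bank ORs them, which is fine if tsvar is freshly allocated and zeroed, as it appears to be, but clobbers any flag set earlier if that assumption ever changes. edk2_compat_pre_process begins before this hunk and the preceding condition that reaches this block is not visible.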